Summary

The Cloud Router Switch series are highly integrated switches with a high-performance ARM CPU and a feature-rich packet processor. CRS switches can be used in various Ethernet applications, including unmanaged switch, Layer 2 managed switch, carrier switch and wired unified packet processing.

Warning: This article applies to CRS3xx series switches and not to CRS1xx/CRS2xx series switches.

Features

Feature category and description:

Forwarding
  - Configurable ports for switching or routing
  - Full non-blocking wire-speed switching
  - Up to 16k MAC entries in the unicast FDB for Layer 2 unicast forwarding
  - Forwarding database works in independent VLAN learning (IVL) mode
  - Jumbo frame support
  - IGMP snooping support

Mirroring
  - Port based, VLAN based and MAC based mirroring

VLAN
  - Fully compatible with IEEE 802.1Q and IEEE 802.1ad VLAN
  - 4k active VLANs
  - Flexible VLAN assignment: port based, protocol based and MAC based VLAN
  - VLAN filtering
  - Any-to-any VLAN translation

Bonding
  - Supports 802.3ad (LACP) and balance-xor modes
  - Up to 8 member ports per bonding interface
  - Up to 30 bonding interfaces
  - Hardware automatic failover and load balancing

Quality of Service (QoS)
  - Ingress traffic limiting: port based, MAC based, IP based, VLAN based, protocol based, DSCP based
  - Port based egress traffic limiting

Port isolation
  - Applicable for Private VLAN implementation

Access Control List
  - Ingress ACL tables
  - Up to 128 ACL rules (limited by RouterOS)
  - Classification based on ports and L2, L3, L4 protocol header fields
  - ACL actions include filtering, forwarding and modifying protocol header fields

Models

This table clarifies the main differences between Cloud Router Switch models.

VLAN

Since RouterOS v6.41 bridges provide VLAN-aware Layer 2 forwarding and VLAN tag modification within the bridge. This set of features makes bridge operation more like that of a traditional Ethernet switch and avoids the Spanning Tree compatibility issues of the older approach, where tunnel-like VLAN interfaces were bridged. Bridge VLAN filtering is highly recommended to comply with the STP (802.1D) and RSTP (802.1w) standards and is mandatory for MSTP (802.1s) support in RouterOS.

VLAN Filtering

The main VLAN setting is vlan-filtering, which globally controls VLAN awareness and VLAN tag processing in the bridge. With vlan-filtering=no the bridge ignores VLAN tags, works in shared VLAN learning (SVL) mode and cannot modify the VLAN tags of packets. Turning on vlan-filtering enables all bridge VLAN related functionality and independent VLAN learning (IVL) mode. Besides joining the ports for Layer 2 forwarding, the bridge itself is also an interface, therefore it has its own Port VLAN ID (pvid).

Note: Since RouterOS v6.41 all VLAN switching related parameters have been moved to the bridge section. On CRS3xx series devices VLAN switching must be configured under the bridge section as well. This does not limit the device's performance: CRS3xx is designed to use the built-in switch chip for bridge VLAN filtering, so full non-blocking wire-speed switching is achieved while using bridges and bridge VLAN filtering. Make sure that all bridge ports have the "H" flag, which indicates that the device is using the switch chip to forward packets.

Sub-menu: /interface bridge

Property and description:

vlan-filtering (yes | no; Default: no)
    Globally enables or disables VLAN functionality for the bridge.

pvid (1..4094; Default: 1)
    Port VLAN ID (pvid) specifies which VLAN untagged ingress traffic is assigned to. On the bridge interface itself it applies, for example, to frames sent from the bridge IP address and destined to a bridge port.

frame-types (admit-all | admit-only-untagged-and-priority-tagged | admit-only-vlan-tagged; Default: admit-all)
    Specifies the allowed ingress frame types on a bridge port. Only has effect when ingress-filtering is enabled.

ingress-filtering (yes | no; Default: no)
    Enables or disables ingress filtering, which checks whether an entry exists in the bridge VLAN table for the ingress port and the VLAN ID. Should be used together with frame-types to specify whether ingress traffic must be tagged or untagged.

Setup examples

Port Based VLAN

Note: It is possible to use the built-in switch chip and the CPU at the same time to create a Switch-Router setup, where a device acts as a switch and as a router at the same time. You can find a configuration example in the CRS-Router guide.
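The following is an added example of a port based VLAN configuration on a CRS3xx (it is not taken from the original page or from MikroTik's own examples). The topology, port names, VLAN IDs and the 192.168.99.2/24 management address are assumptions made for the example: ether1 is a tagged trunk toward a router, ether2 and ether3 are access ports in VLAN 10, ether4 is an access port in VLAN 20, and VLAN 99 carries management. The management VLAN is set up before vlan-filtering is enabled, because enabling it otherwise cuts off untagged access to the bridge IP.

```routeros
# Added example, not from the original page. Names, VLAN IDs and the
# management address are assumptions for illustration.
/interface bridge
add name=bridge1 vlan-filtering=no

# hw=yes keeps forwarding on the switch chip ("H" flag in the port list).
# Trunk admits tagged frames only; access ports admit untagged only and get a pvid.
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether2 hw=yes pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 hw=yes pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 hw=yes pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# Bridge VLAN table: on which ports each VLAN leaves tagged or untagged.
# Listing bridge1 itself as tagged member of VLAN 99 lets the CPU receive it.
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=ether1 untagged=ether4 vlan-ids=20
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99

# Management path on VLAN 99 (address is an assumption), created BEFORE filtering.
/interface vlan
add name=mgmt interface=bridge1 vlan-id=99
/ip address
add address=192.168.99.2/24 interface=mgmt

# Last step: enable VLAN filtering, then verify every port still shows the "H" flag.
/interface bridge
set bridge1 vlan-filtering=yes
/interface bridge port print
/interface bridge vlan print
```

Apply the final `set bridge1 vlan-filtering=yes` from the management VLAN, a routed port outside the bridge, or a serial console; a session on an untagged bridge port loses connectivity at that point.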

MAC Based VLAN

Note: The CRS3xx Switch Rule table is used for MAC based VLAN functionality; it supports up to 128 entries.

Note: MAC based VLANs only work properly between switch ports. ACL rules used together with the port pvid property will not set the correct VLAN ID when packets are forwarded to the CPU.

Enable switching on the ports by creating a bridge with hardware offloading enabled.
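As an added example (not from the original page), the following assigns a VLAN by source MAC address with the switch rule table. The page's MAC 64:D1:54:81:EF:8E is reused; the second address 64:D1:54:81:EF:8F, the port names and VLAN 200 are assumptions for the example. Both hosts are placed in VLAN 200 whichever of ether6/ether7 they are plugged into, ether8 is the tagged uplink, and frames from any other MAC stay in the port's default pvid (1).

```routeros
# Added example, not from the original page. Second MAC, ports and VLAN ID are
# constructed for illustration.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether7 hw=yes
add bridge=bridge1 interface=ether8 hw=yes

# Full-mask (/FF:FF:FF:FF:FF:FF) source MAC match; new-vlan-id rewrites the VLAN
# on ingress. Two of the 128 available rule slots are used.
/interface ethernet switch rule
add switch=switch1 ports=ether6,ether7 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF new-vlan-id=200
add switch=switch1 ports=ether6,ether7 src-mac-address=64:D1:54:81:EF:8F/FF:FF:FF:FF:FF:FF new-vlan-id=200

# VLAN 200 leaves untagged toward the hosts and tagged toward the uplink.
/interface bridge vlan
add bridge=bridge1 tagged=ether8 untagged=ether6,ether7 vlan-ids=200

# VLAN related rule actions only take effect once vlan-filtering is on.
/interface bridge
set bridge1 vlan-filtering=yes
/interface ethernet switch rule print
```

Because the rule matches only the source MAC, a host that spoofs 64:D1:54:81:EF:8E on ether6 or ether7 lands in VLAN 200 as well; MAC based VLAN is a convenience, not an authentication mechanism.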

VLAN Tunneling (Q-in-Q)

Since RouterOS v6.43 it is possible to use provider bridge (IEEE 802.1ad) VLAN filtering and hardware offloading at the same time on CRS3xx series switches. The configuration for CRS3xx switches is described in the Bridge VLAN Tunneling (Q-in-Q) section.

Ingress VLAN translation

It is possible to translate a certain VLAN ID to a different VLAN ID using ACL rules on an ingress port. In this example two ACL rules are created, one per direction, to allow bidirectional communication. This can be done as follows:

Warning: By enabling vlan-filtering you will also be filtering traffic destined to the CPU. Before enabling VLAN filtering, make sure that you have set up a management port.
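Added example of ingress VLAN translation with two switch rules (this is not the page's own configuration): frames tagged 10 entering ether1 are rewritten to VLAN 20 and leave ether2 tagged 20, and frames tagged 20 entering ether2 are rewritten to 10 and leave ether1 tagged 10. Port names and VLAN IDs are assumptions. Both VLANs are allowed on both ports in the bridge VLAN table so that the rewritten VID is always a member VLAN on the egress port.

```routeros
# Added example, not from the original page. Ports and VLAN IDs are assumptions.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes

# One rule per direction: match the incoming VID, rewrite it on ingress.
/interface ethernet switch rule
add switch=switch1 ports=ether1 vlan-id=10 new-vlan-id=20
add switch=switch1 ports=ether2 vlan-id=20 new-vlan-id=10

# Allow both VIDs tagged on both ports so the rewritten frame has a valid egress VLAN.
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether2 vlan-ids=10,20

# Set up a management port/VLAN first (see the warning above), then enable filtering.
/interface bridge
set bridge1 vlan-filtering=yes
```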

(R/M)STP

CRS3xx series switches are capable of running STP, RSTP and MSTP on a hardware level. For more detailed information you should check out the Spanning Tree Protocol manual page.

Bonding

Since RouterOS v6.42 all CRS3xx series switches support hardware offloading with bonding interfaces. Only 802.3ad and balance-xor bonding modes are hardware offloaded, other bonding modes will use the CPU's resources. You can find more information about the bonding interfaces in the Bonding Interface section. If 802.3ad mode is used, then LACP (Link Aggregation Control Protocol) is supported.

To create a hardware offloaded bonding interface, you must create a bonding interface with a supported bonding mode:

/interface bonding
add mode=802.3ad name=bond1 slaves=ether1,ether2

This interface can be added to a bridge alongside with other interfaces:

Note: Do not add interfaces that are already bonding slaves to a bridge. RouterOS will not allow adding an interface that is already a slave, and there is no need to, since the bonding interface already contains the slave interfaces.

Make sure that the bonding interface is hardware offloaded by checking the "H" flag:

Note: The built-in switch chip will always use Layer2+Layer3+Layer4 for transmit hash policy, changing the transmit hash policy manually will have no effect.
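The complete sequence, as an added example rather than the page's own commands: create the bond, add the bond (not its slaves) to a bridge next to a regular port, and confirm hardware offloading. Port names are assumptions.

```routeros
# Added example, not from the original page. Port names are assumptions.
/interface bonding
add mode=802.3ad name=bond1 slaves=ether1,ether2

# The bond is added to the bridge alongside other ports; its slaves are not.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=bond1 hw=yes
add bridge=bridge1 interface=ether3 hw=yes

# Both bridge ports should carry the "H" flag; a missing "H" on bond1 means it is
# being forwarded by the CPU (e.g. an unsupported bonding mode was used).
/interface bridge port print

# LACP negotiation state of the bond (partner system ID, active ports)
/interface bonding monitor bond1
```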

Port isolation

Since RouterOS v6.43 it is possible to create a Private VLAN setup on CRS3xx series switches; an example can be found in the Switch chip port isolation manual page.

IGMP Snooping

CRS3xx series switches are capable of using IGMP Snooping on a hardware level. To see more detailed information, you should check out the IGMP Snooping manual page.

DHCP Snooping and DHCP Option 82

CRS3xx series switches are capable of using DHCP Snooping with Option 82 on a hardware level. To see more detailed information, you should check out the DHCP Snooping and DHCP Option 82 manual page.

Mirroring

Mirroring lets the switch 'sniff' all traffic that passes through the switch chip and send a copy of those packets out of another port (mirror-target). This can be used to set up a 'tap' that feeds a traffic analyzer on another device. Simple port based mirroring is possible, and so is more complex mirroring based on various match parameters. Note that the mirror-target port has to belong to the same switch chip (see which port belongs to which switch in the /interface ethernet menu). mirror-target can also have the special value 'cpu', which means that 'sniffed' packets are sent out of the switch chip's CPU port. There are many ways to mirror certain traffic; the most common mirroring cases are:

There are other options as well, check the ACL section to find out all possible parameters that can be used to match packets.
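Added example covering the three mirroring types listed in the feature table (not the page's own commands). The parameter names mirror-source and mirror-target on the switch, and mirror=yes on a switch rule, are assumed to be the v6-era CRS3xx names; port names and VLAN ID are assumptions. ether3 is the analyzer port and must belong to the same switch chip as the mirrored ports.

```routeros
# Added example, not from the original page. ether3 receives all copies.
/interface ethernet switch
set switch1 mirror-target=ether3

# 1) Port based: copy everything passing through ether2
/interface ethernet switch
set switch1 mirror-source=ether2

# 2) VLAN based: copy only VLAN 11 frames entering ether4
#    (needs vlan-filtering=yes on the bridge for the vlan-id matcher to work)
/interface ethernet switch rule
add switch=switch1 ports=ether4 vlan-id=11 mirror=yes

# 3) MAC based: copy frames from one host entering ether5. The rule has no
#    filtering action, so the original frame is still forwarded normally.
add switch=switch1 ports=ether5 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF mirror=yes

# Alternative to an analyzer port: send copies to the CPU port instead
# (replaces the ether3 target above), e.g. to capture them with /tool sniffer.
# /interface ethernet switch set switch1 mirror-target=cpu
```

Mirroring to the CPU is convenient for a quick look, but a busy port can saturate the CPU path; for sustained capture use a dedicated analyzer port.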

Quality of Service (QoS)

It is possible to limit certain types of traffic using ACL rules. On CRS3xx series switches, ingress traffic matching certain parameters can be limited with an ACL rule, and ingress/egress traffic can be limited on a per-port basis. For ingress traffic a QoS policer is used, for egress traffic a QoS shaper is used.

There are other options as well, check the ACL section to find out all possible parameters that can be used to match packets.

Note: The CRS3xx Switch Rule table is used for QoS functionality, it supports up to 128 entries.
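As an added example (not the page's own configuration), the following combines the port based limiter with ACL based ingress policers. The ingress-rate and egress-rate parameters of /interface ethernet switch port are assumed to be the v6-era names for the per-port policer and shaper; port names, MAC address reuse, DSCP value and rates are assumptions.

```routeros
# Added example, not from the original page. Rates and ports are assumptions.

# Port based: ingress policer and egress shaper on ether1 (bits per second).
/interface ethernet switch port
set ether1 ingress-rate=50M egress-rate=50M

# ACL based ingress policers (each uses one of the 128 rule slots):
/interface ethernet switch rule
# MAC based: one host's uploads on ether2 capped at 10 Mbps
add switch=switch1 ports=ether2 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF rate=10M
# DSCP based: EF (46) marked IPv4 traffic entering ether2 capped at 20 Mbps,
# so a host cannot starve others by marking everything as voice
add switch=switch1 ports=ether2 mac-protocol=ip dscp=46 rate=20M
# VLAN based: VLAN 30 entering ether2 capped at 100 Mbps (needs vlan-filtering=yes)
add switch=switch1 ports=ether2 vlan-id=30 rate=100M

/interface ethernet switch rule print
```

Rules are evaluated first match wins, so a packet that is both from the listed MAC and DSCP 46 is policed only by the MAC rule.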

Traffic Storm Control

Since RouterOS v6.42 it is possible to enable traffic storm control on CRS3xx series devices. It can limit broadcast, unknown multicast and unknown unicast traffic. These settings are applied to the ingress port, and the amount of such traffic that port forwards is limited.

Note: The storm control parameter is specified in percentage (%) of the link speed. If your link speed is 1Gbps, then specifying storm-rate as 10 will allow only 100Mbps of broadcast, unknown multicast and/or unknown unicast traffic to be forwarded.

Sub-menu: /interface ethernet switch port

Property and description:

limit-broadcasts (yes | no; Default: yes)
    Limit broadcast traffic on the switch port.

limit-unknown-multicasts (yes | no; Default: no)
    Limit unknown multicast traffic on the switch port.

limit-unknown-unicasts (yes | no; Default: no)
    Limit unknown unicast traffic on the switch port.

storm-rate (integer 0..100; Default: 100)
    Rate, as a percentage of the link speed, to which broadcast, unknown multicast and/or unknown unicast traffic is limited.

Warning: Devices with the Marvell-98DX3236 switch chip cannot distinguish unknown multicast traffic from all multicast traffic. For example, CRS326-24G-2S+ will limit all multicast traffic when limit-unknown-multicasts and storm-rate are used. On other devices, for example CRS317-1G-16S+, the limit-unknown-multicasts parameter limits only unknown multicast traffic (addresses that are not present in /interface bridge mdb).

For example, to limit 1% (10Mbps) of broadcast and unknown unicast traffic on ether1 (1Gbps), use the following commands:
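Added example (not the page's own commands) for the case described above, plus an unknown multicast limit on a second port to show the chip-dependent caveat. Port names and the 5% value are assumptions.

```routeros
# Added example, not from the original page. Ports and the 5% figure are assumptions.

# ether1 (1 Gbps): broadcast and unknown unicast limited to 1% = 10 Mbps.
# The percentage scales with link speed: the same setting on a 10 Gbps SFP+
# port allows 100 Mbps.
/interface ethernet switch port
set ether1 limit-broadcasts=yes limit-unknown-unicasts=yes storm-rate=1

# ether2: additionally limit unknown multicast to 5%. On Marvell-98DX3236 based
# models (e.g. CRS326-24G-2S+) this limits ALL multicast, not only unknown
# multicast, so registered IGMP snooping streams are throttled too.
set ether2 limit-broadcasts=yes limit-unknown-multicasts=yes storm-rate=5

# Verify the effective settings
/interface ethernet switch port print detail where name=ether1
```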

MPLS hardware offloading

Since RouterOS v6.41 it is possible to offload certain MPLS functions to the switch chip, the switch must be a (P)rovider router in a PE-P-PE setup in order to achieve hardware offloading. Setup example can be found in the Basic MPLS setup example manual page.

Note: Currently only CRS317-1G-16S+ and CRS309-1G-8S+ using RouterOS v6.41 and newer are capable of hardware offloading certain MPLS functions. CRS317-1G-16S+ and CRS309-1G-8S+ built-in switch chip is not capable of popping MPLS labels from packets, in a PE-P-PE setup you either have to use explicit null or disable TTL propagation in MPLS network to achieve hardware offloading.

Switch Rules (ACL)

The Access Control List consists of ingress policy and egress policy engines and allows up to 128 policy rules to be configured (limited by RouterOS). It is an advanced tool for wire-speed packet filtering, forwarding and modification based on Layer 2, Layer 3 and Layer 4 protocol header field conditions.

Note: ACL rules are checked for each packet until a match is found. If multiple rules could match, only the first matching rule is triggered. A rule without any action parameters accepts the packet.

new-dst-ports (name of a switch port)
    Changes the destination port as specified. An empty setting drops the packet. A specified port redirects the packet to it. When the parameter is not used, the packet is accepted. Multiple new-dst-ports are not supported on CRS3xx series switches.

new-vlan-id (0..4095)
    Changes the VLAN ID to the specified value. Requires vlan-filtering=yes.

Note: For VLAN related matchers or VLAN related action parameters to work, you need to enable vlan-filtering on the bridge interface and make sure that hardware offloading is enabled on those ports, otherwise these parameters will not have any effect.

Warning: When vlan-protocol is set to 802.1Q, then VLAN related ACL rules are relevant to 0x8100 (CVID) packets, this includes vlan-id and new-vlan-id. When vlan-protocol is set to 802.1ad, then ACL rules are relevant to 0x88A8 (SVID) packets. For example, with 802.1Q the vlan-id matcher will match CVID packets, but with 802.1ad the vlan-id matcher will match SVID packets.
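Added example of Layer 3/4 classification with the switch rule table (not taken from the page). DHCP servers answer from UDP source port 67, so dropping IPv4 UDP frames with source port 67 on access ports prevents a rogue DHCP server plugged into those ports from answering clients, while client requests (UDP 68 to 67) toward the uplink are unaffected. The assumption is that ether1 is the uplink carrying the legitimate server and ether2 to ether5 are access ports; on a device with DHCP snooping enabled that feature is the preferred tool, and this rule is a wire-speed complement to it.

```routeros
# Added example, not from the original page. Uplink/access port roles are assumptions.
/interface ethernet switch rule
# Drop DHCP server replies (IPv4, UDP source port 67) entering any access port.
# Empty new-dst-ports means drop; the rule is not applied to ether1, the uplink.
add switch=switch1 ports=ether2,ether3,ether4,ether5 mac-protocol=ip protocol=udp src-port=67 new-dst-ports=""

# Matching is on the original header fields, so a server replying from a
# non-standard source port is not caught by this rule.

/interface ethernet switch rule print
```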

Port Security

It is possible to limit the allowed MAC addresses on a single switch port on CRS3xx series switches. For example, to allow only 64:D1:54:81:EF:8E on ether1, start by switching multiple ports together; in this example 64:D1:54:81:EF:8E is located behind ether1.

Create an ACL rule to allow the given MAC address and drop all other traffic on ether1 (for ingress traffic):

Warning: Broadcast traffic will still be sent out from ether1. To limit broadcast traffic flood on a bridge port, you can use the broadcast-flood parameter to toggle it. Do note that some protocols depend on broadcast traffic, such as streaming protocols and DHCP.
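The complete port security configuration, as an added example that is not the page's own code: a bridge over three ports (port names assumed), an accept rule for the allowed MAC followed by a drop-everything rule on ether1, and the optional flood controls from the warning above.

```routeros
# Added example, not from the original page. Port names are assumptions.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes

# Order matters: rules are evaluated first match wins.
# Rule 1 has no action parameters, so frames from the allowed MAC are accepted.
# Rule 2 (empty new-dst-ports) drops every other frame entering ether1.
/interface ethernet switch rule
add switch=switch1 ports=ether1 src-mac-address=64:D1:54:81:EF:8E/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=ether1 new-dst-ports=""

# Optional: also stop broadcast and unknown unicast flooding OUT of ether1.
# ARP requests and DHCP offers are broadcast, so only do this for a host with a
# static address, or one whose MAC/IP is already known to the bridge.
/interface bridge port
set [find interface=ether1] broadcast-flood=no unknown-unicast-flood=no

/interface ethernet switch rule print
```

Swapping the two rules silently disables the port: the drop rule would match first and the accept rule would never be reached.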

Dual Boot

The "Dual boot" feature lets you choose which operating system to run, RouterOS or SwOS. The device's operating system can be changed using:

Configuring SwOS using RouterOS

Since RouterOS 6.43 it is possible to load, save and reset SwOS configuration, as well as upgrade SwOS and set an IP address for the switch by using RouterOS.

Save configuration with /system swos save-config

Note: The configuration is saved on the device itself as a file named swos.config. Download the file from the device, since the configuration file is removed after a reboot.

Load configuration with /system swos load-config

Reset configuration with /system swos reset-config

Set static IP address with /system swos set-address

Note: Setting a static IP address does not change the address acquisition process, which by default is DHCP with static fallback. This means that the configured static IP address becomes active only when there is no DHCP server in the same broadcast domain.

Upgrade SwOS from RouterOS using /system swos upgrade

Note: The upgrade command will automatically install the latest available SwOS version, make sure that your device has access to the Internet in order for the upgrade process to work properly.
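Added example (not the page's own commands) of the workflow these sections describe: save the SwOS configuration, copy it off the device before anything reboots, then switch the boot OS. The boot-os setting under /system routerboard settings is the dual boot switch; the FTP server 192.0.2.10 and the backup credentials are constructed for the example.

```routeros
# Added example, not from the original page. FTP host and credentials are constructed.

# 1) Save the SwOS configuration; it appears as the file swos.config
/system swos save-config
/file print where name=swos.config

# 2) Copy it to an external host first, since the file does not survive a reboot
/tool fetch upload=yes mode=ftp address=192.0.2.10 user=backup password=CHANGEME src-path=swos.config dst-path=crs-swos.config

# 3) Optionally pull the latest SwOS (needs Internet access from the device)
/system swos upgrade

# 4) Select SwOS as the boot OS and reboot into it
/system routerboard settings set boot-os=swos
/system reboot
```

To return to RouterOS later, the same setting is changed back to boot-os=router-os from SwOS's own interface or from RouterOS if it is booted again.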